<div dir="ltr">Adriano: Are you aware of any RIRs that are also CAs? I'm not sure I am, and the 3.2.2.4.12 only applies if the CA is the Registrar, which is the equivalent function (approximately) within DNS as the RIR within the IP address space*.<div><br></div><div>If you take your description and apply its counterpart to DNS, we would say:</div><div>"If a CA is also a domain name registrant and is managing its own domains, the CA can know with certainty that the Applicant controls its domain name."</div><div><br></div><div>Which we'd quickly see as silly, because that would bypass any domain validation at all!</div><div><br></div><div><div>Methods 3.2.2.5.2 / 3.2.2.5.5 allow you to retrieve the relevant AS records from the RIR and use that to perform the validation activities. However, because the AS records are maintained by the RIR, unless you are the RIR, you can't correctly implement an "Authorization to manage the AS record is authorization to issue" (akin to the 3.2.2.4.12 method you mention) without some demonstration of proof you can manage the AS record - which is what 3.2.2.5.2 / 3.2.2.5.5 are trying to work around.</div><div><br></div><div>Not sure if any of this made sense, but hopefully?</div><div><br></div><div>* Yes, this blurs the registrar / registry distinction, but the RIRs don't subdelegate the master registration functions in the way the DNS registrar/registry split does, and everyone working with the RIR is effectively a direct registrant.</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 4, 2020 at 5:14 AM Adriano Santoni via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p><font face="Calibri">Hi all,</font></p>
<p><font face="Calibri">I have a doubt regarding the validation of
IP addresses. <br>
</font></p>
<p><font face="Calibri">Maybe I am just overlooking some word or
sentence in the BR that solves my doubt, but right now I just
cannot see it.<br>
</font></p>
<p><font face="Calibri">Among the methods allowed by the BR for the
validation of domains, we have method #12:</font></p>
<p><font face="Calibri">"</font><font face="Calibri">3.2.2.4.12
Validating Applicant as a Domain Contact</font></p>
<p><font face="Calibri">Confirming the Applicant's control over the
FQDN by validating the Applicant is the Domain Contact. This
method may only be used if the CA is also the Domain Name
Registrar, or an Affiliate of the Registrar, of the
Base Domain Name."</font></p>
<p><font face="Calibri">If I am not overlooking anything, it seems
that we do not have a similar method for IP addresses, and my
doubt is then "why".<br>
</font></p>
<p><font face="Calibri">If a CA is also an Autonomous System and is
directly managing a dedicated server - on a specific IP address
- for the Applicant, the CA knows </font><font face="Calibri"><font face="Calibri"><font face="Calibri"><font face="Calibri">with
certainty </font></font></font><font face="Calibri"><font face="Calibri"><font face="Calibri"><font face="Calibri"><font face="Calibri"><font face="Calibri">that the Applicant
controls such IP address, based on its records.<br>
</font></font></font></font></font></font></font></p>
<font face="Calibri">TIA for any hints and remarks,</font>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<p><font face="Calibri"></font><br>
</p>
</div>
_______________________________________________<br>
Validation mailing list<br>
<a href="mailto:Validation@cabforum.org" target="_blank">Validation@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/validation" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/validation</a><br>
</blockquote></div>